Jeff,
with the current version of SEC, you also have to provide action-on-expire for 
'set' -- if only lifetime is provided, the action-on-expire will be cleared. 
This issue was actually recently discussed in this list, and since there have 
been no objections to changing the semantics of 'set', in the next version you 
have to indicate empty action-on-expire explicitly. In other words, your 
ruleset will work without changes for the next version :)
BR,
risto

> From: Jeff Schroeder <jeffschr...@gmail.com>
> Subject: [Simple-evcorr-users] Problem using SingleWithThreshold
> To: "SEC" <simple-evcorr-users@lists.sourceforge.net>
> Date: Wednesday, October 7, 2009, 2:34 AM
> The goal is for a context to be triggered once >= 5 matches happen within 60 seconds. If additional matches happen before the context becomes stale, the context should be extended for an additional 30 seconds. When the context becomes stale, a summary email showing all matched lines should be sent out containing all matching entries.
> 
> It seems that the contexts get created but it doesn't always send emails. When it does send emails, it only sends mails out for 1 or two of the contexts and I'm not sure why.
> 
> Example log lines:
> Sep 24 09:42:02.399 util3.wha01.dev1.int sshd[10552]: Failed password for admin from 10.107.24.195 port 46937 ssh2
> Sep 25 10:37:07.105 build1.qa1.int sshd[4481]: Failed password for moneymaker from 10.123.200.31 port 43842 ssh2
> Sep 30 17:27:56.247 init1.nyc22.int sshd[8156]: Failed password for codebuild from 10.122.221.187 port 59681 ssh2
> Sep 30 17:37:55.389 build1.qa1.int sshd[14437]: Failed password for invalid user jdoe from 10.107.21.161 port 50804 ssh2
> Sep 30 17:38:01.232 build1.qa1.int sshd[14437]: Failed password for invalid user jdoe from 10.107.21.161 port 50804 ssh2
> Oct  6 12:50:29.000 ops1.sys.adm1.int sshd[6964]: Failed password for tmales from 10.121.103.165 port 53182 ssh2
> 
> 
> ==================================================
> # create the context on the initial triggering cluster of events
> type=SingleWithThreshold
> ptype=RegExp
> pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
> desc=Possible brute force attack (ssh) user $3 on $1 from $4
> window=60
> thresh=5
> context=!SSH_BRUTE_FROM_$4
> action=create SSH_BRUTE_FROM_$4 60 (report SSH_BRUTE_FROM_$4 /bin/mail -s "ssh brute force attack on $1 from $4" syst...@mycompany.com); add SSH_BRUTE_FROM_$4 5 failed ssh attempts within 60 seconds detected; add SSH_BRUTE_FROM_$4 $0
> 
> # add subsequent events to the context
> type=Single
> ptype=RegExp
> pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
> desc=Possible brute force attack (ssh) user $3 on $1 from $4
> context=SSH_BRUTE_FROM_$4
> action=add SSH_BRUTE_FROM_$4 "Additional event: $0"; set SSH_BRUTE_FROM_$4 30
> ==================================================
> 
> Example paste from sec.pl -input=- -debug=6 after copy/pasting a bunch of log entries into it and waiting a few:
> Deleting stale context 'SSH_BRUTE_FROM_10.144.130.55'
> Stale context 'SSH_BRUTE_FROM_10.144.130.55' deleted
> Deleting stale context 'SSH_BRUTE_FROM_10.109.20.135'
> Stale context 'SSH_BRUTE_FROM_10.109.20.135' deleted
> Deleting stale context 'SSH_BRUTE_FROM_10.107.21.220'
> Stale context 'SSH_BRUTE_FROM_10.107.21.220' deleted
> Deleting stale context 'SSH_BRUTE_FROM_10.107.24.195'
> Stale context 'SSH_BRUTE_FROM_10.107.24.195' deleted
> Deleting stale context 'SSH_BRUTE_FROM_10.107.24.38'
> Reporting the event store of context 'SSH_BRUTE_FROM_10.107.24.38' through shell command '/bin/mail -s "ssh brute force attack on util3.wha01.dev1.int from 10.107.28.38" syst...@mycompany.com
> Child 25908 created for command '/bin/mail -s "ssh brute force attack on util3.wha01.dev1.int from 10.107.28.38" syst...@mycompany.com'
> Stale context 'SSH_BRUTE_FROM_10.107.28.38' deleted
> 
> 
> What am I doing wrong?
> 
> Thanks
> 
> -- 
> Jeff Schroeder
> 
> Don't drink and derive, alcohol and analysis don't mix.
> http://www.digitalprognosis.com
> 
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference
> in SF, CA
> is the only developer event you need to attend this year.
> Jumpstart your
> developing skills, take BlackBerry mobile applications to
> market and stay 
> ahead of the curve. Join us from November 9 - 12, 2009.
> Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 
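The ruleset below is an added example, not text from either message: it is Jeff's quoted ruleset with the one change risto's reply calls for on the current SEC version, namely repeating the action-on-expire inside the 'set' action so that extending the context lifetime does not clear the report action. The pattern, context name, window, threshold and lifetimes are taken from the quoted rules; the mail address ops@example.com is a placeholder standing in for the elided one in the original.

```conf
# Added example (not from the original thread). ops@example.com is a
# placeholder address. Everything else is Jeff's ruleset as quoted above.

# create the context on the initial triggering cluster of events (unchanged)
type=SingleWithThreshold
ptype=RegExp
pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
desc=Possible brute force attack (ssh) user $3 on $1 from $4
window=60
thresh=5
context=!SSH_BRUTE_FROM_$4
action=create SSH_BRUTE_FROM_$4 60 (report SSH_BRUTE_FROM_$4 /bin/mail -s "ssh brute force attack on $1 from $4" ops@example.com); add SSH_BRUTE_FROM_$4 5 failed ssh attempts within 60 seconds detected; add SSH_BRUTE_FROM_$4 $0

# add subsequent events to the context; 'set' now carries the same
# action-on-expire as 'create', so the context no longer expires silently
# after its lifetime has been extended
type=Single
ptype=RegExp
pattern=^.+\d+:\d+:\d+\.\d+ (.+) sshd\[\d+\]: Failed (.*) for (?:invalid user )?(.*?) from (\d+\.\d+\.\d+\.\d+)
desc=Possible brute force attack (ssh) user $3 on $1 from $4
context=SSH_BRUTE_FROM_$4
action=add SSH_BRUTE_FROM_$4 "Additional event: $0"; set SSH_BRUTE_FROM_$4 30 (report SSH_BRUTE_FROM_$4 /bin/mail -s "ssh brute force attack on $1 from $4" ops@example.com)
```

Two things to keep in mind when checking this with sec.pl -debug=6 as in the quoted paste: the report action in 'set' is re-evaluated each time the Single rule fires, so $1 in the mail subject is the host of the most recent additional event rather than the host of the first one, which matters when one source address hits several hosts; and a context that is only ever created by the first rule and never extended by the second still reports, since the 'create' action list is untouched. Once the 'set' semantics change as risto describes, the parenthesised action list can be dropped again and an empty one would have to be given explicitly to clear it.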
